Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Scan of the week

I’ve been seeing this for some time, so you will see it soon too. We are speaking here mostly about SNMP probes coming from a set of very specific IPs. If you do a search on the IP you get to the webpage below (critical.io), explaining to the reader that it constitutes a vulnerability/misconfiguration disclosure effort by HD Moore exercised on the wide Internet for our own good. I haven’t had an answer from HD Moore himself (probably because of Defcon :) ) so I can’t really deny nor confirm this claim. I did hear from him: it is indeed scans done by him.
Anyway, as the scans are much more frequent/aggressive than the usual attack/scan attempts I see every day, I decided, while not seeing them as any threat, to filter them out; here are the IP addresses if you decide to do so too.
IPs:
69.175.126.168/29 69.175.126.170
184.154.42.192/29 184.154.42.194
173.236.44.96/29 173.236.44.98
69.175.54.104/29 69.175.54.106
173.236.30.120/29 173.236.30.122
96.127.150.216/29 96.127.150.218
Screenshot of the website hosted on aforementioned IPs:

Today I did an improvised poll at work on who is using 2-factor authentication with their Gmail account and got only one positive answer: me 🙂. The question was in turn inspired by the article in The Atlantic Monthly where James Fallows describes in detail his wife’s Gmail account being hacked and how much trouble it was to get it back. I can only add that not using an absolutely free and easy feature to safeguard your precious asset, your mail account, is pretty reckless in our time. Just imagine what it would be like to have ALL of your Gmail inbox emptied and your access to the account lost due to a hack …
I’ve always known that the best way to solve problems is to prevent them from occurring at all, so go ahead and use this Gmail feature and have fewer problems in life to solve.
My personal experience over a few months is that it works with any mobile provider in Israel and it is pretty much a ‘set and forget’ type of configuration; just be able to receive an SMS once a month, it can’t be any easier I guess. Advanced sign-in security for your Google account

Nmap is probably the best-known, longest-standing and most community-driven security-related project in the Open Source universe. It is natural to think that there is nothing left for end users like us to improve in it, and of course the opposite is the case. If we forget for a second all the complex C/C++/Lua/etc. coding involved in sharpening Nmap’s algorithms and performance, after all it is a signature-based network scanner that is only as good as its signatures are. And here you can never have enough.
Just find some off-the-shelf network equipment, run a scan on it, be surprised that it is not recognized by Nmap, and contribute its signature back to the Nmap community; then buy yourself a beer and put a sign in your cube ”I contributed to Nmap” 🙂
— So how do you do this? Piece of cake.
When running a scan with the -sV option (version detection of the software), if the target service is not known to Nmap it prints out the Nmap-style fingerprint of the scanned service. It is fine to just copy and paste it here: http://insecure.org/cgi-bin/submit.cgi, but then I wouldn’t be writing this article. So let’s do some practice.
There is a nice anti-spam and anti-virus appliance called PineApp Mailsecure, produced by an Israeli company named (surprise ..) PineApp, which is quite popular at least here in Israel. Unfortunately Nmap does not recognize it beyond reporting port 25 as open.
Here is the result of the Nmap scan.

So let’s fix this, but first some important preliminary knowledge.
Nmap keeps all its service signatures in the file nmap-service-probes, which uses a few predefined keywords that are easy to remember and use:
-First we want to create a probe that defines which string to send to which port; it goes like this:
In our case the target service is SMTP, so no changes are due to the existing probe,

Probe TCP Hello q|EHLO\r\n|

The above means: once connected, send the word EHLO (terminated by \r\n).
The next line starts with the keyword rarity and its value. The higher the number, the lower the probability of this service probe being run; leave it as is in our case, as the probe will be run anyway if the preceding port scan reports port 25 as open.

rarity 8

The rarity line is followed by the list of ports for which this service probe will be triggered once they are reported as open. Again, in our case we leave it as is:

ports 25,587,3025

Then comes the sslports keyword to specify SSL-enabled ports, finally followed by totalwaitms, also of no interest here.
Now we come to the good stuff: many lines doing matches for different vendors/equipment, each and every one starting with the keyword match. Let’s have a closer look at it:
match <service> m|matching regex pattern, Perl style| [version/device/hardware optional info]
The best way to get it is via an existing match in the file:

It basically says:
Send the EHLO command to the target, check the output from the target and look for a string that starts with 220 followed by a printable string of variable length, followed
by the word DP- and then a decimal number (note: the parentheses () allow referencing the matched part of the string later), followed by return and newline characters (\r\n), followed by the word “250-DSN” and finally followed by return + newline (\r\n). If such a match is found, then print to the terminal the string “Panasonic smtpd”, in the version field (v/$1/) print what was matched by (DP-\d+), and in the device type field print printer (d/printer/).
That is all there is to it. Now let’s create a signature for the PineApp.
We have 2 options here: actually run a scan against the PineApp target and decipher the output, or, what I do here, use common sense.
First I will do what the Nmap Hello probe does, namely connect by telnet to port 25 and issue the EHLO command. After that I will try to compose a regex matching the output.

Well, the regex is not that hard to do here:

match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/

I edit /usr/local/share/nmap/nmap-service-probes, insert the above line under Probe TCP Hello where the matches start, save it and run Nmap again on the same host that was not recognized before:
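To see how such a match line is actually applied to a banner, here is a small matcher written for this post as an added example; it is not Nmap’s own parser and covers only the parts of the format discussed above (the service name, the Perl-style regex between delimiters with the optional i/s flags, and the p/ v/ i/ h/ o/ d/ version fields with $N back-references). The first table entry is the PineApp line from above; the second line, the banners, and the ExampleMTA name are constructed for this example and are not entries from the real nmap-service-probes file.

```python
"""Toy matcher for nmap-service-probes 'match' lines (added example, not Nmap code)."""
import re

# Constructed sample table. Line 1 is the PineApp signature from the post;
# line 2 is invented here to exercise the $1 back-reference and the
# device-type field, and is NOT an entry from the real probes file.
SAMPLE_MATCH_LINES = [
    r"match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/",
    r"match smtp m|^220 [^\r\n]+ ExampleMTA (\d+\.\d+)\r\n| p/ExampleMTA smtpd/ v/$1/ d/printer/",
]

# Constructed banners, as a server would answer after the Hello probe's EHLO.
PINEAPP_BANNER = "220 Ready to receive mail -=- ESMTP\r\n250-DSN\r\n"
EXAMPLE_BANNER = "220 mail.example.test ExampleMTA 4.2\r\n"
UNKNOWN_BANNER = "220 mx.example.test ESMTP Postfix\r\n"

_MATCH_LINE = re.compile(
    r"^(?:match|softmatch)\s+(?P<service>\S+)\s+"    # keyword and service name
    r"m(?P<d>\S)(?P<pat>.*?)(?P=d)(?P<flags>[is]*)"   # m|regex|flags
    r"\s*(?P<rest>.*)$"                               # version-info fields
)
_FIELD = re.compile(r"([pvihod])(\S)(.*?)\2")        # e.g. p/product/ v/$1/
_FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
                "h": "hostname", "o": "os", "d": "devicetype"}


def parse_match_line(line):
    """Split one 'match' line into service name, compiled regex and version fields."""
    m = _MATCH_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a match line: %r" % line)
    flags = 0
    if "i" in m.group("flags"):
        flags |= re.IGNORECASE   # Nmap's 'i' flag: case-insensitive match
    if "s" in m.group("flags"):
        flags |= re.DOTALL       # Nmap's 's' flag: '.' also matches newline
    fields = [(_FIELD_NAMES[key], value)
              for key, _delim, value in _FIELD.findall(m.group("rest"))]
    return {"service": m.group("service"),
            "regex": re.compile(m.group("pat"), flags),
            "fields": fields}


def identify(banner, match_lines=SAMPLE_MATCH_LINES):
    """Return version info for the first match line that fits the banner, or None.

    As in Nmap, the first matching line wins, and $N inside a field is replaced
    by the N-th capture group of the regex (so v/$1/ picks up the version).
    """
    for line in match_lines:
        entry = parse_match_line(line)
        hit = entry["regex"].search(banner)
        if hit is None:
            continue
        result = {"service": entry["service"]}
        for name, template in entry["fields"]:
            result[name] = re.sub(r"\$(\d+)",
                                  lambda ref: hit.group(int(ref.group(1))) or "",
                                  template)
        return result
    return None   # here Nmap would print the fingerprint for submission


if __name__ == "__main__":
    for banner in (PINEAPP_BANNER, EXAMPLE_BANNER, UNKNOWN_BANNER):
        print(repr(banner.split("\r\n")[0]), "->", identify(banner))
```

The point to notice is the `^` anchor and the literal `\r\n` in the PineApp line: the regex is pinned to the very start of the reply and to the exact line ending, so a greeting that merely contains “Ready to receive mail” somewhere in a longer banner would not be claimed, which is what keeps a hand-written signature from producing false positives once it is contributed.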

Anything connected to the Internet will be hacked someday, and RSA is no exception. The
open letter is here: Open Letter, but more interesting are the best practices published in response to the attack: www.sec.gov

Cisco gear has a well-known behaviour pattern: when you telnet to some random, positively closed port on a Cisco device you get the uniform response “Connection refused”. To be more precise, it happens when terminal line management access is enabled on the Cisco but your IP is not in the access-list allowing access to the device. The funny thing is that only Cisco seems to do it, and given that, it makes revealing a Cisco device a no-brainer. I tested it on a few dozen Cisco routers (I’m not talking about other equipment from the Golden Gate folks) and it only confirmed this observation. I also tested telnetting to other vendors’ equipment and always got a timeout back; so far I’ve tried Juniper, Brocade, IBM and Huawei. To somehow fix this situation Cisco actually has a feature in their Control Plane Protection toolbox just for that. Below is the configuration from an IOS router that causes the router to time out connection attempts to closed ports.

NB Unfortunately it is only a half-solution, because if telnet access is enabled on the Cisco then connection attempts to port 23 will elicit the same “Connection refused”. To close even this disclosure hole, disable telnet as the management protocol and switch to SSH.
NB2 The good news for the pentesters out there is that rarely does an ISP implement such protections.
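A way to verify that the change took effect, as an added example written for this post (not the author’s or Cisco’s code): the script below classifies a TCP connect attempt as “refused” (a reset came back, the tell-tale behaviour described above), “timeout” (silently dropped, which is what the port-filter policy should produce) or “open”. Run it against the management address of a router you administer, from a source address that is not in the VTY access-list, with the ports you expect to be closed; the loopback demo in the block is constructed so that it runs offline. The helper names and the 3-second default timeout are this example’s own choices.

```python
"""Classify how a host answers TCP connections to a port that should be closed.

Added example, not Cisco's or the post author's code. "refused" means the far
end still answers closed ports with a reset (the telnet "Connection refused"
verdict from the post); "timeout" means packets are now silently dropped.
"""
import socket


def classify_closed_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error' for one connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something listens here
    except ConnectionRefusedError:
        return "refused"           # RST received: the "Connection refused" case
    except socket.timeout:
        return "timeout"           # no answer at all within `timeout` seconds
    except OSError:
        return "error"             # no route, name resolution failure, ...


def audit(host, ports, timeout=3.0):
    """Classify every port and list those that leak a reset instead of timing out."""
    report = {port: classify_closed_port(host, port, timeout) for port in ports}
    leaking = [port for port, verdict in report.items() if verdict == "refused"]
    return report, leaking


def unused_loopback_port():
    """Pick a loopback port nobody listens on (for the self-contained demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def loopback_listener():
    """Open a listening loopback socket; returns (socket, port) for the demo."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against the local host (constructed): a closed loopback port answers
    # with a reset, i.e. exactly the "refused" verdict discussed in the post,
    # while a listening one reports "open". Replace host and ports with a
    # router you administer and the ports you expect to be closed (e.g. 23
    # after telnet has been disabled in favour of SSH).
    srv, open_port = loopback_listener()
    closed_port = unused_loopback_port()
    report, leaking = audit("127.0.0.1", [open_port, closed_port], timeout=1.0)
    srv.close()
    print(report)
    print("ports leaking a reset:", leaking)
```

After the port-filter policy is applied, every port that was “refused” before should turn into “timeout” from a non-permitted source; port 23 stays “refused” as long as telnet remains enabled, which is the half-solution noted above.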

On the 19th of October Russia’s Channel One aired the TV show called “Пусть говорят, Однажды в Америке”, dedicated to the Zeus trojan story. You all saw and heard about the FBI operation that took some 38 people into custody. The talk show on the most widely available and popular Russian public channel brought in parents/relatives of the arrested suspects and a girl who, by her own words, took part in this scam a year before.
The majority of the people in the studio clearly stated that these guys and gals are plain thieves (except their parents, understandably), a major step forward over the years, I should say. A summary of the main points follows:
– Those are low-rank droppers/mules;
– They didn’t have personal direct contact with any of the masterminds of the scam. All their communication was through ICQ/forums/all things Internet;
– For them it was just another way to earn money. Sounds plausible, as there were other youngsters in the same apartment who came through the same student exchange program and still chose NOT to get involved as they had other income;
– All claim they agreed to do it only because they were in a dire financial situation. Also probably true, even though according to the exchange program they are all provided with work on their arrival in the US. The girl in the studio (Anna Savenko [Анна Савенко]) also noted that she agreed to be a scammer after she was fired from her job;
– All of them were recruited by people already in the business and were told the same story: ”Many American companies try to lower their taxes by transferring money to people like her”. A lame story for those willing to believe it and feel good about themselves;
– They were encouraged by the absence of even minimal vigilance at the US banks. Anna recalled that she opened an account (with a fake passport) and when she came to the bank to withdraw the money, the clerk asked her where she was expecting the money from; she could only say “Don’t know” and was still given the cash;
– Russia as a state pretty much doesn’t give a heck about those citizens in jail; pro bono advocates is their way to go (if only they were spies …).
If your Russian is good enough, try searching the Net for “Пусть говорят, Однажды в Америке SATRIP” and you will get the full recording of the show.
Link to the show forum, just in case: forum.1tv.ru